From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 3 Aug 2017 10:47:46 -0400
From: Jerome Glisse
Message-ID: <20170803144746.GA9501@redhat.com>
References: <07063abd-2f5d-20d9-a182-8ae9ead26c3c@huawei.com>
 <20170802170848.GA3240@redhat.com>
 <8e82639c-40db-02ce-096a-d114b0436d3c@huawei.com>
 <20170803114844.GO12521@dhcp22.suse.cz>
 <20170803135549.GW12521@dhcp22.suse.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20170803135549.GW12521@dhcp22.suse.cz>
Subject: [kernel-hardening] Re: [RFC] Tagging of vmalloc pages for supporting the pmalloc allocator
To: Michal Hocko
Cc: Igor Stoppa, Linux-MM, LKML, linux-security-module@vger.kernel.org, "kernel-hardening@lists.openwall.com", Kees Cook
List-ID:

On Thu, Aug 03, 2017 at 03:55:50PM +0200, Michal Hocko wrote:
> On Thu 03-08-17 15:20:31, Igor Stoppa wrote:
> > On 03/08/17 14:48, Michal Hocko wrote:
> > > On Thu 03-08-17 13:11:45, Igor Stoppa wrote:
> > >> On 02/08/17 20:08, Jerome Glisse wrote:
> > >>> On Wed, Aug 02, 2017 at 06:14:28PM +0300, Igor Stoppa wrote:
> >
> > [...]
> >
> > >>>> from include/linux/mm_types.h:
> > >>>>
> > >>>> struct page {
> > >>>> ...
> > >>>>     union {
> > >>>>         unsigned long private;  /* Mapping-private opaque data:
> > >>>>                                  * usually used for buffer_heads
> > >>>>                                  * if PagePrivate set; used for
> > >>>>                                  * swp_entry_t if PageSwapCache;
> > >>>>                                  * indicates order in the buddy
> > >>>>                                  * system if PG_buddy is set.
> > >>>>                                  */
> >
> > [...]
> >
> > >> If the "Mapping-private" was dropped or somehow connected exclusively to
> > >> the cases listed in the comment, then I think it would be more clear
> > >> that the comment needs to be intended as related to mapping in certain
> > >> cases only.
> > >> But it is otherwise ok to use the "private" field for whatever purpose
> > >> it might be suitable, as long as it is not already in use.
> > >
> > > I would recommend adding a new field into the enum...
> >
> > s/enum/union/ ?
> >
> > If not, I am not sure what is the enum that you are talking about.
>
> yeah, fat fingers on my side
>
> >
> > [...]
> >
> > >> But, to reply more specifically to your advice, yes, I think I could add
> > >> a flag to vm_struct and then retrieve its value, for the address being
> > >> processed, by passing through find_vm_area().
> > >
> > > ... and you can store vm_struct pointer to the struct page there
> >
> > "there" as in the new field of the union?
> > btw, what would be a meaningful name, since "private" is already taken?
> >
> > For simplicity, I'll use, for now, "private2"
>
> why not explicit vm_area?
>
> > > and you won't need to do the slow find_vm_area. I haven't checked
> > > very closely but this should be possible in principle. I guess other
> > > callers might benefit from this as well.
> >
> > I am confused about this: if "private2" is a pointer, but when I get an
> > address, I do not even know if the address represents a valid pmalloc
> > page, how can i know when it's ok to dereference "private2"?
>
> because you can make all pages which back vmalloc mappings have vm_area
> pointer set.

Note that I think this might break some device drivers that use vmap(). I
think some of them use the private field to store device driver specific
information. But there likely is an unused field in struct page that can be
used for that.

Jérôme
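
The following userspace C model is an added example, not code from this thread or from the kernel. It models the idea discussed above: pages backing a vmalloc mapping carry a back-pointer to their vm_struct in a union member of struct page, and a page-type flag decides whether that member may be read as a pointer. The simplified structs, the guard flag PG_VMALLOC, the area flag VM_PMALLOC and the member name vm_area are assumptions of this example.

```c
/* Userspace model: simplified stand-ins for struct page and struct vm_struct.
 * PG_VMALLOC, VM_PMALLOC and the vm_area member are hypothetical names. */
#include <stdbool.h>
#include <stddef.h>

#define PG_VMALLOC 0x1UL  /* hypothetical: page backs a vmalloc mapping */
#define VM_PMALLOC 0x1UL  /* hypothetical: area belongs to a pmalloc pool */

struct vm_struct { unsigned long flags; };
struct page {
    unsigned long flags;
    union {
        unsigned long private;      /* existing users, e.g. driver data */
        struct vm_struct *vm_area;  /* valid only when PG_VMALLOC is set */
    };
};

/* Tag every page backing the area, once, when the mapping is created. */
static void tag_area_pages(struct vm_struct *area, struct page *pages, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        pages[i].vm_area = area;
        pages[i].flags |= PG_VMALLOC;
    }
}

/* O(1) check in place of a find_vm_area() lookup. The page flag is tested
 * first, so the union is never read as a pointer for other page types. */
static bool is_pmalloc_page(const struct page *page)
{
    if (!(page->flags & PG_VMALLOC))
        return false;
    return page->vm_area && (page->vm_area->flags & VM_PMALLOC);
}

/* Constructed scenario; bit i of the result is set if page i is pmalloc. */
static unsigned classify_samples(void)
{
    struct vm_struct pmalloc_area = { VM_PMALLOC }, plain_area = { 0 };
    struct page pages[3] = { 0 };
    unsigned mask = 0;
    tag_area_pages(&pmalloc_area, &pages[0], 1);
    tag_area_pages(&plain_area, &pages[1], 1);
    pages[2].private = 0xdeadbeefUL;  /* driver data, PG_VMALLOC not set */
    for (unsigned i = 0; i < 3; i++)
        mask |= (unsigned)is_pmalloc_page(&pages[i]) << i;
    return mask;
}
int main(void) { return classify_samples() == 1u ? 0 : 1; }
```

Because the two members share storage in this model, tagging a page overwrites whatever a driver kept in private, which is the breakage the message above warns about for vmap() users.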